The EU GDPR (General Data Protection Regulation) states that you need to identify a lawful basis before processing personal data. But what is a lawful basis for processing? Do you always need individuals’ consent to process their data? And what is meant by the term ‘legitimate interests’?
The GDPR defines processing as “any operation or set of operations that is performed on personal data, whether by automated means or not, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, or destruction”.
Identify your Basis for Processing
Before you do any of these things, you need to identify a lawful basis for doing so under Article 6.
Special categories of personal data (sensitive data) are treated separately: you cannot process them except under certain circumstances. For other personal data there are six lawful bases for processing. Processing is lawful if:
- The data subject gives their explicit consent; or processing is necessary:
- For you to meet contractual obligations entered into by the data subject
- To comply with the data controller’s legal obligations
- To protect the data subject’s vital interests
- For a task carried out in the public interest or in the exercise of official authority vested in the data controller, or
- For the purposes of legitimate interests pursued by the data controller.
Below we discuss how to choose the most appropriate one for you.
Lawfulness of processing under the GDPR
The first basis is consent. Recital 32 describes what counts as valid consent:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
- An ‘affirmative act’ means the data subject has to opt-in. You must not assume consent, for example by using pre-ticked boxes on your website.
- ‘Freely given’ means the data subject has to have genuine choice: they must not suffer any detriment if they refuse consent.
- ‘Specific and informed’ means you must clearly explain what they are consenting to: a vague or incomprehensible request for consent will be invalid.
If you choose to rely on consent, you must keep proper records, as required by Article 7(1):
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Withdrawal of Consent
This is particularly important because data subjects have the right to withdraw their consent at any time.
It must be as easy for them to withdraw their consent as it was to provide it in the first place. If they do withdraw their consent, you will be obliged to erase their data “without undue delay” when asked by them to do so. However, if you demonstrate you have a lawful reason to retain it, you may do so. This reason must be recorded internally.
Many people and organisations focus on consent, but it is arguably the weakest lawful basis for processing because it can be withdrawn at any time. It is therefore always worth determining whether another lawful basis for processing can apply.
For example, when you process staff data for payroll purposes, contractual obligations will apply, as staff will have signed a contract of employment.
Contract
You can rely on contractual obligations when:
- You have a contract with someone and need to process their personal data to comply with your obligations under that contract; or
- You don’t yet have a contract with someone, but they’ve asked you to do something as an initial step (for example, provide a quote) and you need to process their personal data to do so.
In this context, a contract doesn’t have to be a formal legal document. It can be a simple document that meets the requirements of contract law. An oral statement will also count. The processing you carry out must be necessary for the purposes of fulfilling your contractual obligations. This lawful basis will not apply if there are other ways of meeting those obligations.
If you process sensitive data as part of a contract, you’ll also need to identify a separate condition for processing that data.
Legal obligation
You can rely on legal obligations if you need to process personal data to comply with a common law or statutory obligation. It should be clear from the law in question whether processing is necessary for compliance. Once again, proper record-keeping is important: you must be able to identify the specific legal provision you’re complying with or, alternatively, show the guidance or advice that sets out your legal obligation.
Vital interests
The vital interests basis applies if it’s necessary to process personal data to protect someone’s life. This applies to any life, not just that of the data subject. Recital 46 states:
“Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.”
It is unlikely to apply except in cases of emergency medical treatment.
Public task
If your organisation needs to process personal data “for the performance of a task carried out in the public interest” or “in the exercise of official authority” (Recital 50), you can do so using this lawful basis.
You don’t need a specific statutory power to process personal data. However, you must have a clear basis in law, which you must document. The Data Protection Act of 2018 clarifies that this includes processing necessary for:
- The administration of justice
- Exercising a function of either House of Parliament
- Carrying out a function conferred on a person by an enactment or rule of law
- Exercising a function of the Crown, a Minister of the Crown or a government department, or
- An activity that supports or promotes democratic engagement.
Data subjects’ rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
Legitimate interests
Legitimate interests is the most flexible of the six lawful bases for processing. It could, in theory, apply to any type of processing carried out for any reasonable purpose.
Article 6(1)(f) states that processing is lawful if, and to the extent that:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Now, this gives you a lot of room for interpretation. You might say that the definition is unhelpfully vague. The burden is on you to determine whether or not your interests in processing the personal data really are legitimate.
The ICO (Information Commissioner’s Office) has published a three-part test, covering purpose, necessity and balancing.
Numerous interests can be legitimate, including your own interests, third parties’ interests and commercial interests. These interests must be balanced against those of the data subject(s).
Legitimate or Contractual?
The GDPR states that processing client or employee data is legitimate. This can also be contractual. Operations such as marketing, fraud prevention, intra-group transfers or IT security are also potential legitimate interests. However, this is not an exhaustive list.
The important thing to consider is that ‘legitimate interests’ is most likely to be appropriate if you are using personal data in ways that the data subjects would deem reasonable, and where the processing has a minimal impact on their privacy. However, you must document how you decided that the data subject would deem the processing reasonable.
Consequently, it’s your record-keeping that will prove vital. If you can demonstrate that you’ve carried out a full LIA (legitimate interest assessment), the supervisory authority should be satisfied. Remember that if you use legitimate interests as your basis for processing personal information as part of your marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects.
You should also check your compliance with the PECR (Privacy and Electronic Communications Regulations 2003).
Don’t forget, if you choose to rely on legitimate interests, the right to data portability will not apply.
DPO as a service
If you need advice on determining your GDPR Processing Lawful Bases for personal data, you should consider outsourcing a DPO (data protection officer).
Our DPO as a service offering enables you to outsource the DPO role to an expert. This helps you meet your GDPR obligations without losing focus on your core business activities.
If you would like to know more, please call us on 03333 22 1011 or contact us here. You can book a GDPR Processing Bases review call here. Our DPO service will deliver the peace of mind you may crave. We’re here to help you sleep at night.